Khadas Docs

Amazing Khadas, always amazes you!

User Tools

Site Tools

Home / products / sbc / vim3 / applications / secureboot

Sidebar

products:sbc:vim3:applications:secureboot

This is an old revision of the document!

Table of Contents

VIM3/3L Secureboot

WIP:

save temporary

Introduction

The default firmware compiled by Fenix for Ubuntu/Debian does not support Secureboot. For ordinary users, Secureboot functionality is not necessary. Enabling Secureboot means that the board can only flash firmware signed with the same key. It won't be possible to flash any other unsigned firmware or firmware signed with a different key. Additionally, the process of flashing the key is irreversible.

If you need to add Secureboot support, you will require additional patches to enable it.

Apply patches to support secureboot

Download and apply patches . 

~/vim3-secureboot-patches$ tree
.
├── fenix
│   └── 0001-packages-images_upgrade-bump-to-1b40968.patch
└── u-boot
    └── 0001-don-t-decrypt-dtb-when-secureboot-enabled.patch
 
2 directories, 2 files

There 2 patches, one is for Fenix, and the other one is for u-boot.

Compile the images

You can compile the images after apply the patches.

Generate the signing key

Download the sign tool decompress it and double click AmlEToolV3.exe to open it:

![image|526×500](upload:lghDNq2vxsnV1ofkbrYn0nXIvj7.png) Select OneStepGenKey and check 2048 then click Generate to generate the keys: ![2|521×499](upload:9Kyp54MGHtFTvKTsqN4wUIHDKAK.png)

![3|529×500](upload:3FbHjviDbpSWom566xfpY7cHd7M.png) The path of generated keys is in the key directory within the current sign tool's directory, named after the current time, e.g. ![image|690×312](upload:jNHNYHeqd5UvEoAnnwKoMUhNm4m.png)

You need to save the files aml-user-key.sig and SECURE_BOOT_SET:

- aml-user-key.sig - Used to sign the images - SECURE_BOOT_SET - Used to burn the key

Encrypt the images

Still using the sign tool AmlEToolV3.exe, select Entire, import the User Key, which is the file aml-user-key.sig generated before, and also check Only_BootLoader_Encrypt and Disable OTA sign. Then, import the image that needs to be encrypted in the Input:

![4|528×500](upload:mtqNEVaT7ms87YectBEynCGUAoo.png) ![image|690×332](upload:zNSFSR7sccGvplEC1TZVqIPo1Es.png)

![6|521×500](upload:hxAp9FCCRivljCRZwlyB13SEw3A.png) Then click Encrypt to encrypt the image. ![7|521×500](upload:mmwZxq6OQNjC6OY9eyrRSQG297i.png) ![8|524×500](upload:sv5JVgrkYvr9k6EHXF3g6fUjbcN.png) After successful signing, a new encrypted image will be generated in the original image directory, with a filename containing the secureboot suffix, e.g. if the orignal file is vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.img, then the encrypted image is vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.20230830105011.secureboot.img Next, we will explain how to flash this encrypted image. ===== 烧录加密固件 ===== 下载并安装[USB烧录工具](https://dl.khadas.com/products/vim3/tool/usb_burning_tool_v2.2.0.zip),安装完成后需要把之前生成的文件`SECURE_BOOT_SET `拷贝到USB安装工具目录下的`licence`目录下,如:C:\Program Files (x86)\Amlogic\USB_Burning_Tool\license ![image|690×225](upload:rDGqYwbOUpPDJnwDkFQkGpRvxBx.png)

打开USB烧录工具,导入加密的固件,同时勾选`secure_boot_set`选项,然后点击`Start`开始烧录。

![9|690×493](upload:zu1OGk0Am0iJxYSBE28Vb602lfY.png) 注意:key只能烧录一次,即只在第一次烧录加密固件时勾选`secure_boot_set`,后面再次烧录时不要勾选,否则会烧录失败。 ===== 警告 ===== - Secureboot的key只能烧录一次,是不可逆的,所以在烧录时需要慎重 - 生成的key需要保管好,因为一旦烧录了key,那么以后就只能烧录用这个key签名的固件 - 一定要做完详细的测试后,确保固件可以用于生产时才开启Secureboot功能

Last modified: 2023/08/30 02:05 by nick

Page Tools

Khadas Site

Khadas Community

Khadas GitHub

Khadas Downloads